Configure KMIP Backup Encryption for Ops Manager
Ops Manager can encrypt backup jobs. You can use the Kubernetes Operator to configure KMIP backup encryption for Ops Manager. To learn more, see Encrypted Backup Snapshots.
Limitations
For deployments where the same Kubernetes Operator instance is not managing both the MongoDBOpsManager and MongoDB custom resources, you must manually configure KMIP backup encryption client settings in the MongoDBOpsManager custom resource. This requirement involves including client certificates for each MongoDB database, which you can achieve by overriding the Ops Manager Pod's StatefulSet to mount the certificates. To learn more, see Manually Configure KMIP Backup Encryption.
Procedure
Configure the Ops Manager custom resource to use KMIP backup encryption.
Configure the spec.backup.encryption.kmip
settings.
1 apiVersion: mongodb.com/v1 2 kind: MongoDBOpsManager 3 metadata: 4 name: om-backup-kmip 5 spec: 6 replicas: 1 7 version: 6.0.0 8 adminCredentials: ops-manager-admin-secret 9 backup: 10 encryption: 11 kmip: 12 server: 13 url: kmip.corp.mongodb.com:5696 14 ca: mongodb-kmip-certificate-authority-pem
Create the secret of the client certificate and private key.
Run the following command:
kubectl -n mongodb create secret tls mongodb-kmip-client-pem-my-replica-set-client-kmip \ --cert=<path-to-cert-file> \ --key=<path-to-key-file>
The client certificate secret name has the following naming
convention inferred from the MongoDB
CustomResourceDefinition:
<clientCertificatePrefix>-<objectMeta.name>-client-kmip
| Human-readable label specified in the
|
| Human-readable label specified in the |
| Fixed suffix that the Kubernetes Operator assumes. |
To learn more, see kubernetes.io/tls.
Configure your MongoDB database deployment.
Configure the spec.backup.encryption.kmip
settings.
1 apiVersion: mongodb.com/v1 2 kind: MongoDB 3 metadata: 4 name: my-replica-set 5 spec: 6 members: 3 7 version: 4.0.20 8 type: ReplicaSet 9 backup: 10 encryption: 11 kmip: 12 client: 13 clientCertificatePrefix: mongodb-kmip-client-pem
To learn more, see deploy a replica set or deploy a sharded cluster.